I think there is a little confusion. I am aware of an RDP unsuccessful
attempt, but my post was enquiring about the log entry with the DOC MAIL in
the security log.

I am wondering what type of connection my original example is, as there is
very little information presented. My second example showed an
unsuccessful RDP connection, which gives us a lot of useful information, and
I would like to add that an external unsuccessful RDP connection does give
the source network address. This has been very useful tracking down
infected servers/PCs.

When you RDP to the server from the Internet, this is expected behavior, because
the firewall gets rid of the information of Source Network Address, Source
Port and so on. When you RDP from internal, you can see Source Network
Address, Source Port, because the traffic doesn't pass the firewall.

The RWW depends on IIS; all the logon attempts start from IIS, not from the
client workstation, so you can see the server is SERVER and the user name is
IUSR_SERVER.

I'd like to give you more information on the process NTLMSSP and Advapi.

NTLMSSP is a security support provider that is available on all versions
of DCOM. It uses the Microsoft Windows NT LAN Manager (NTLM) protocol for
authentication. NTLM never actually transmits the user's password to the
server during authentication.

When opening a new thread via the web interface, we recommend you check
the "Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In
doing so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
